In message <e754e90906130925m6d9f723eh71090a331a427...@mail.gmail.com>, R Dicai
re writes:
> Hi folks,
> Can both nsec and nsec3 records be used simultaneously in a zone file,
> or is it an either/or?

        NSEC and NSEC3 chains are expected to exist in a zone during
        a incremental transition between the two ways of negatively
        signing a zone.  If there is a complete NSEC3 chain (indicated
        by a NSEC3PARAM record at the zone apex) servers are supposed
        to return NSEC3 proofs.

        NSEC3 is more expensive that NSEC is and really should not
        be used unless you need the features NSEC3 provide.  There
        are additional cost on both the authoritative servers and
        on the validating servers when you use NSEC3.

        TLD's can make use of OPTOUT which is why you see ORG and
        GOV using NSEC3.  End user zones generally can't make use
        of OPTOUT.

        Unless you really need to hide the presence of names in a
        zone then you shouldn't use NSEC3.

        Note:  NSEC3 is a waste of time for IN-ADDR.ARPA, IP6.ARPA
        and RBL type zones which use IP addresses as they are highly
        structured and you can enumnerate the contents without
        walking the NSEC chain.

        Mark
 
> Thanks
> -- 
> aRDy Music and Rick Dicaire present:
> http://www.ardynet.com
> http://www.ardynet.com:9000/ardymusic.ogg.m3u
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to